[GH-ISSUE #1190] Bootstrap user when starting docker container #839

New issue

Closed

opened 2026-05-07 00:27:55 +02:00 by BreizhHardware · 3 comments

BreizhHardware commented

2026-05-07 00:27:55 +02:00

Owner

Originally created by @Cheezzhead on GitHub (Sep 26, 2024).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1190

I would like to bootstrap my ntfy users, to avoid having to make a backup of the auth.db file. This involves creating each user with the CLI before starting the main ntfy process. Unfortunately, doing this on a fresh server throws the error auth-file does not exist; please start the server at least once to create it. As far as I can see, the only way to create this auth-file is to run ntfy serve at least once, kill the server and then restart. This seems... not ideal.

When it comes to the ephemerality (if that's a word) of docker containers, it is common practice to bootstrap users in this way; for example, official docker database images such as postgres allow you to define a user with environment variables to be created on startup.

Following those standards, the best way to solve this would be to add similar environment variable functionality (e.g. NTFY_USER and NTFY_PASSWORD), creating this user if it is supplied. Alternatively, providing a CLI (sub)command to create the auth.db file (other than running ntfy serve and then forcefully killing it once) would also be beneficial. I don't know which of these is easier, I guess it depends on where/how the auth file is created in the internal code.

Also it's entirely possible that there is already such a method and I haven't looked closely enough.

compose.yml

ntfy:
    image: binwiederhier/ntfy:latest
    container_name: ntfy
    #command: [serve]
    entrypoint: /bootstrap_users.sh
    secrets: [ntfy-admin-pass, other-pass]
    environment:
      NTFY_BASE_URL: https://ntfy.${DOMAIN}
      NTFY_BEHIND_PROXY: true
      NTFY_UPSTREAM_BASE_URL: https://ntfy.sh
      # Access control
      NTFY_ENABLE_LOGIN: true
      NTFY_ENABLE_SIGNUP: false
      NTFY_AUTH_DEFAULT_ACCESS: deny-all
      NTFY_AUTH_FILE: /var/lib/ntfy/auth.db
      # Caching
      NTFY_CACHE_FILE: /var/lib/ntfy/cache.db
      NTFY_ATTACHMENT_CACHE_DIR: /var/lib/ntfy/attachments
    volumes:
      - ./ntfy/bootstrap_users.sh:/bootstrap_users.sh:ro
      - ntfy_data:/var/lib/ntfy

bootstrap_users.sh

# Admin
NTFY_PASSWORD="$(cat /run/secrets/ntfy-admin-pass)" ntfy user add --role=admin admin

# Readers
if NTFY_PASSWORD="$(cat /run/secrets/...)" ntfy user add some-reader; then
    ntfy access reader "*" read
fi

// etc..

# Run
cd /usr/bin || exit 1
ntfy serve

Originally created by @Cheezzhead on GitHub (Sep 26, 2024). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1190 I would like to bootstrap my ntfy users, to avoid having to make a backup of the `auth.db` file. This involves creating each user with the CLI before starting the main ntfy process. Unfortunately, doing this on a fresh server throws the error `auth-file does not exist; please start the server at least once to create it`. As far as I can see, the only way to create this auth-file is to run `ntfy serve` at least once, kill the server and then restart. This seems... not ideal. When it comes to the ephemerality (if that's a word) of docker containers, it is common practice to bootstrap users in this way; for example, official docker database images such as [postgres](https://hub.docker.com/_/postgres) allow you to define a user with environment variables to be created on startup. Following those standards, the best way to solve this would be to add similar environment variable functionality (e.g. `NTFY_USER` and `NTFY_PASSWORD`), creating this user if it is supplied. Alternatively, providing a CLI (sub)command to create the `auth.db` file (other than running `ntfy serve` and then forcefully killing it once) would also be beneficial. I don't know which of these is easier, I guess it depends on where/how the auth file is created in the internal code. Also it's entirely possible that there is already such a method and I haven't looked closely enough. compose.yml ``` ntfy: image: binwiederhier/ntfy:latest container_name: ntfy #command: [serve] entrypoint: /bootstrap_users.sh secrets: [ntfy-admin-pass, other-pass] environment: NTFY_BASE_URL: https://ntfy.${DOMAIN} NTFY_BEHIND_PROXY: true NTFY_UPSTREAM_BASE_URL: https://ntfy.sh # Access control NTFY_ENABLE_LOGIN: true NTFY_ENABLE_SIGNUP: false NTFY_AUTH_DEFAULT_ACCESS: deny-all NTFY_AUTH_FILE: /var/lib/ntfy/auth.db # Caching NTFY_CACHE_FILE: /var/lib/ntfy/cache.db NTFY_ATTACHMENT_CACHE_DIR: /var/lib/ntfy/attachments volumes: - ./ntfy/bootstrap_users.sh:/bootstrap_users.sh:ro - ntfy_data:/var/lib/ntfy ``` bootstrap_users.sh ``` # Admin NTFY_PASSWORD="$(cat /run/secrets/ntfy-admin-pass)" ntfy user add --role=admin admin # Readers if NTFY_PASSWORD="$(cat /run/secrets/...)" ntfy user add some-reader; then ntfy access reader "*" read fi // etc.. # Run cd /usr/bin || exit 1 ntfy serve ```

BreizhHardware

2026-05-07 00:27:55 +02:00

closed this issue
added the
enhancement
label

BreizhHardware commented

2026-05-07 00:27:55 +02:00

Author

Owner

@fiveangle commented on GitHub (Jan 6, 2025):

Fully agree. In fact, I am struggling to find a list of all docker compose environment variables available so that I can perform ALL configuration in the docker-compose file, as customary in all my centrally-managed container deployments. The documentation at first alludes that all confiuration must be done in the offline server.yaml config file. Then as you read the docs, it is revlealed piecemeal that more configuration can be performed in the docker compose file, but there is no comprehensive list that I've been able to find in the repo. I'll keep digging...

@fiveangle commented on GitHub (Jan 6, 2025): Fully agree. In fact, I am struggling to find a list of all docker compose environment variables available so that I can perform ALL configuration in the docker-compose file, as customary in all my centrally-managed container deployments. The documentation at first alludes that all confiuration must be done in the offline server.yaml config file. Then as you read the docs, it is revlealed piecemeal that more configuration can be performed in the docker compose file, but there is no comprehensive list that I've been able to find in the repo. I'll keep digging...

BreizhHardware commented

2026-05-07 00:27:55 +02:00

Author

Owner

@wunter8 commented on GitHub (Jan 6, 2025):

@fiveangle here's a list of the config options: https://docs.ntfy.sh/config/#config-options

NTFY_CONFIG_FILE is missing from the table (just by accident, not intentionally). If anything else is missing from the table, it's probably safe to assume it follows the same naming conventions (e.g., make the server.yml param uppercase, prepend "NTFY_", convert dash to underscore)

You can also see all these env variables listed in the output of ntfy server --help

@wunter8 commented on GitHub (Jan 6, 2025): @fiveangle here's a list of the config options: https://docs.ntfy.sh/config/#config-options NTFY_CONFIG_FILE is missing from the table (just by accident, not intentionally). If anything else is missing from the table, it's probably safe to assume it follows the same naming conventions (e.g., make the server.yml param uppercase, prepend "NTFY_", convert dash to underscore) You can also see all these env variables listed in the output of `ntfy server --help`

BreizhHardware commented

2026-05-07 00:27:56 +02:00

Author

Owner

@binwiederhier commented on GitHub (Jul 31, 2025):

This will be fixed with the next release, see https://docs.ntfy.sh/config/#access-control

@binwiederhier commented on GitHub (Jul 31, 2025): This will be fixed with the next release, see https://docs.ntfy.sh/config/#access-control